SUSE reported that the upstream patch for CVE-2011-3368 (bug #740045), when applied to httpd versions before 2.2.18, does not completely address the issue when an attacker sends HTTP 0.9 requests:

https://bugzilla.novell.com/show_bug.cgi?id=722545#c15
http://thread.gmane.org/gmane.comp.apache.devel/45978
http://thread.gmane.org/gmane.comp.security.oss.general/6102

The fix has been created upstream and committed to trunk:

http://thread.gmane.org/gmane.comp.apache.devel/45978/focus=45979
http://svn.apache.org/viewvc?view=revision&revision=1188745

Upstream also confirmed this additional fix is not required for httpd versions 2.2.18 and later:

http://thread.gmane.org/gmane.comp.apache.devel/45978/focus=45983
http://thread.gmane.org/gmane.comp.apache.devel/45978/focus=45985
This was assigned the name CVE-2011-3639: http://www.openwall.com/lists/oss-security/2011/11/15/12
This problem affects httpd packages in Red Hat Enterprise Linux 4, 5 and 6 that were released to address CVE-2011-3368: https://www.redhat.com/security/data/cve/CVE-2011-3368.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:0128 https://rhn.redhat.com/errata/RHSA-2012-0128.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2012:0323 https://rhn.redhat.com/errata/RHSA-2012-0323.html